A recent report from the Government Accountability Office (GAO) highlights the pressing need for the Environmental Protection Agency (EPA) to strengthen its cybersecurity support for the water sector. Amid increasing state-backed cyber threats, the GAO underscores the urgency for the EPA to formulate a national strategy addressing the range of cyber risks facing the sector. Officials have identified a lack of foundational cybersecurity practices and limited resources as significant obstacles. Past incidents attributed to hackers from Iran, China, and Russia have exposed vulnerabilities within U.S. water systems, underscoring the need for stronger cyber defenses.
Challenges in Cybersecurity Culture
The GAO report indicates that the water sector struggles to cultivate a comprehensive cybersecurity culture. This deficiency has resulted in inadequate cyber hygiene, compounded by resource constraints as the cost of maintaining physical infrastructure rises. Despite the Biden administration's prioritization of water sector cybersecurity, the industry has resisted regulatory mandates aimed at improving cyber defenses.
Risk Assessments and Strategic Planning
The report reveals that the EPA has yet to conduct a sector-wide risk assessment or implement a risk-informed strategy, which are essential for effective risk mitigation. Without these, the agency lacks a “basic underpinning for managing federal programs,” according to the GAO. An inclusive risk assessment could help identify the highest risks and prioritize actions accordingly, providing a clearer direction for cybersecurity efforts.
EPA officials say that while they have assessed threats and vulnerabilities, these efforts have not been consolidated into a comprehensive strategy. The GAO also noted the absence of defined cybersecurity goals, objectives, and performance metrics in the EPA's plans. For instance, although the EPA has set a target that 100% of systems using certain technologies should have cybersecurity programs, it has not clearly identified or prioritized the steps needed to reach that target.
Furthermore, coordination issues have emerged as a significant hurdle. The Cybersecurity and Infrastructure Security Agency (CISA) has not fully integrated its cybersecurity expertise with the EPA’s water sector knowledge. This lack of coordination has led to inefficiencies and gaps in addressing cybersecurity threats.
The EPA also faces challenges with its vulnerability assessment tools, which have not undergone external peer review. The lack of independent validation raises questions about the credibility of these tools and how reliably they can guide cybersecurity measures.
EPA officials have agreed with the GAO’s recommendations to conduct a thorough risk assessment, develop a national strategy, and review the legal authorities needed to carry out risk mitigation responsibilities. The agency plans to complete the risk assessment by January 2025 and initiate a peer review of its risk tool in November.
The EPA has historically struggled with voluntary approaches to cybersecurity, with the water sector resisting even requests for baseline information. The sector has pushed back against what it perceives as federal overreach, complicating efforts to implement mandatory cybersecurity audits. Notably, in October 2023, the EPA withdrew a memo requiring cybersecurity audits following resistance from state authorities.
Additionally, previous reports have criticized the EPA for insufficient cybersecurity measures, attributing the lapses to inadequate funding and the lack of a cohesive strategy. The Cyberspace Solarium Commission recommended a significant increase in cybersecurity spending, but the EPA's budget allocations have fallen short of that recommendation. This history underscores the ongoing challenges the agency faces in securing the water sector.
The EPA’s current cybersecurity initiatives need substantial improvements to effectively protect the water sector against sophisticated cyber threats. Implementing the GAO’s recommendations could enhance the agency’s ability to manage risks and safeguard critical infrastructure. A comprehensive national strategy, supported by adequate funding and resources, is crucial for addressing the cybersecurity vulnerabilities in the water sector.